Extortionists are threatening to publish the account information of a hacked banks’ customers unless they hand over cash.

According to Reuters, the group of unidentified hackers are targeting customers’ accounts at Valartis Bank Liechtenstein.

Located in the Alpine principality between Switzerland and Austria, the financial organization switched hands from the Swiss-listed Valartis Group to a Hong Kong-based holding company known as Citychamp Watch & Jewellery Group Ltd earlier this year.

As of this writing, the bank has yet to issue a comment publicly. It also didn’t respond to Reuters’s request for a private comment via phone or email on 27 November.

“Unknown hackers found their way into the Liechtenstein bank’s system and obtained customer account information, including that of many Germans…, … politicians, actors and high net worth individuals…

“The hackers are demanding 10 percent of the account balances, to be paid in Internet cryptocurrency Bitcoin to help preserve anonymity…”

In other words, the hackers want money from the bank’s customers, or else they’ll leak their account information online.

Is that a bad thing?

Potentially, yes.

Different countries have different ways of allowing people to withdraw money from their bank accounts. To process that kind of transaction, a criminal needs to have a valid bank account number and the routing number for the financial institution at which that account is held. But depending on how they attempt to withdraw money, they might need a physical card or photo identification.

The potential for fraud ultimately rests online, where an actor can abuse someone’s bank account number and routing number to submit an Automated Clearing House (ACH) transaction.

A bank can technically detect suspicious transactions through the use of anti-fraud measures. It could alert the user, for example, if they detect a money withdrawal from another country, but as we all know, bad actors can circumvent that obstacle through the use of the VPN.

Responsibility for detecting and reporting the fraud might therefore fall onto the user. If that’s the case, they might not have any choice but to close down their old bank accounts and open up a new one.

While Valartis Bank Liechtenstein figures out the best way to protect its users, it should disable online transactions. That will in the very least help prevent remote actors from stealing account holders’ money.

Under no circumstance should any of the affected customers meet the criminals’ demands.

3 Responses

I strongly suspect that the potential theft of funds from their accounts might not be the risk that is uppermost in the minds of at least some of the customers, rather it will be the prospect of just how much money they have salted away becoming public knowledge.

As Gordon Hay said -- pretty sure the monetisation model here is to blackmail account holders with the threat of exposing tax avoidance or evasion, or dodgy / corrupt transactions, or just to breach their privacy by revealing how much they’re worth or were paid for a particular job (or part, in the case of the alleged actors.)

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!